1 Design of Bloom Filter Array for Network Anomaly Detection Author: Jieyan Fan, Dapeng Wu, Kejie Lu, Antonio Nucci Publisher: IEEE GLOBECOM 2006 Presenter: Hsin-Mao Chen Date:2009/10/21

2 Outline Introduction Background Bloom Filter Array Data Structures Algorithm Random-keyed Hash Function Analysis Performance

3 Introduction Distributed Denial of Service (DDoS) attacks are the major threats to the Internet. The TCP-base DDoS attacks using spoofed source IP address are detected in the edge router through two-directional matching.

4 Background Two-directional(2D) matching A normal TCP flow generated from one end host to another should have a corresponding flow from the other direction.

5 Background

6 Bloom Filter M-bit vector K hash functionh 1 ()h 2 ()h 3 () Data1Data2Data3

7 Bloom Filter Array The key idea is to use a Bloom filter array to trade off a amount of accuracy, for much less space and time complexity.

8 Data Structures A smaller time slot τ, Γ = w × τ, where w is an integer. Two arrays of bit vectors, {IV i }, {RV i }, i ∈ Z w. An array of integers {C i }, i ∈ Z w. K hash functions, h i (·), i ∈ Z K. …… Γ τττ IV 1 RV 1 C 1 IV 2 RV 2 C 2 IV w RV w C w h 1 (), h 2 ()…h k ()

9 Algorithm Add new unmatched inbound flow. 1. Inbound packet is stored in at least one RV j. 2. Inbound packet is stored in IV i%w. …… τττ IV 1 RV 1 C 1 IV 2 RV 2 C 2 IV w RV w C w h 1 (), h 2 ()…h k () Γ

10 Algorithm The first matched outbound packet comes. 1. Outbound packet is not contained in RV j%w. 2. Outbound packet is contained in IV j%w. …… τττ IV 1 RV 1 C 1 IV 2 RV 2 C 2 IV w RV w C w h 1 (), h 2 ()…h k () Γ

11 Random-keyed Hash Function One kernel hash function with K randomly generated keys. We can generate as many keys as we want. The security issue is solved.

12 Analysis

13 Performance Trace data provided by Auckland University. as the signature of the packets. 2.4G Hz CPU and 1G memory. There are packets in the trace. The average processing rate is packets/second.

14 Performance Number of unmatched SYN packets